Re: [Django] #35796: Add signing support to the CSRF cookie


Django

Nov 7, 2024, 4:59:26 PM
to django-...@googlegroups.com
#35796: Add signing support to the CSRF cookie
-------------------------------------+-------------------------------------
Reporter: Benjamin Zagorsky | Owner: (none)
Type: New feature | Status: closed
Component: CSRF | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: csrf cookie signing | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Benjamin Zagorsky):

I've vetted the plan more thoroughly on the Django Forum and have updated
the ticket.

Replying to [comment:1 Natalia Bidart]:
> Hello Benjamin!
>
> Adding a new setting to Django is quite controversial, and something
> that we try to avoid. Because of that, this requires an explicit agreement
> with the community. Besides the new setting proposal, I do understand that
> this report comes along with a new feature request, which would be adding
> "automatic" CSRF cookie signing to Django. For cases like this, the
> recommended path forward is to first propose and discuss the idea with the
> community and gain consensus. To do that, please consider starting a new
> conversation on the [https://forum.djangoproject.com/c/internals/5 Django
> Forum], where you'll reach a broader audience and receive additional
> feedback.
>
> I'll close the ticket for now, but if the community agrees with the
> proposal, please return to this ticket and reference the forum discussion
> so we can re-open it. For more information, please refer to
> [https://docs.djangoproject.com/en/stable/internals/contributing/bugs-and-features/#requesting-features
> the documented guidelines for requesting features].
>
> Thanks!
--
Ticket URL: <https://code.djangoproject.com/ticket/35796#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Dec 5, 2024, 11:02:35 AM
to django-...@googlegroups.com
#35796: Add signing support to the CSRF cookie
-------------------------------------+-------------------------------------
Reporter: Benjamin Zagorsky | Owner: (none)
Type: New feature | Status: new
Component: CSRF | Version: dev
Severity: Normal | Resolution:
Keywords: csrf cookie signing | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Benjamin Zagorsky):

* resolution: wontfix =>
* status: closed => new

--
Ticket URL: <https://code.djangoproject.com/ticket/35796#comment:4>

Django

Dec 6, 2024, 4:27:27 AM
to django-...@googlegroups.com
#35796: Add signing support to the CSRF cookie
-------------------------------------+-------------------------------------
Reporter: Benjamin Zagorsky | Owner: (none)
Type: New feature | Status: closed
Component: CSRF | Version: dev
Severity: Normal | Resolution: wontfix
Keywords: csrf cookie signing | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* resolution: => wontfix
* status: new => closed

Comment:

Thank you for creating the forum discussion and updating the proposal.

As you're suggesting adding a new setting, we usually need quite a strong
consensus to do this and I don't currently see much engagement on the
discussion in favor of the proposal.
You might need to bump or promote/share around the discussion to get more
thoughts from others.
--
Ticket URL: <https://code.djangoproject.com/ticket/35796#comment:5>